However, in a sufficiently large system, a pass-phrase alone is no
substitute for a username and pass-phrase combination during
authentication. The reason is not that a 30+ character pass-phrase is
statistically insecure in theory. One commenter on Jeff’s post
wrote:

I honestly don't care how improbable it would be, I want it to be
impossible.

Sorry, no system is unhackable. Impossible? The only system impossible
to hack is one that does not allow logins. Perhaps a lump of rock would
be more to your taste? Even with a username and password combination,
it is not impossible to guess a username and password combination by
pure accident. I might, in haste, mistype my credentials in such a way
that I inadvertently type in the username and password of another user.
That’s possible.

That’s probably within the same range of probability (and I’m hand
waving here) as guessing a 30+ character cryptographically generated
pass-phrase.

But there’s just one problem. Humans are not cryptographically strong
generators.

True Story
When I was giving a presentation in college about random number
sequences, I asked my classmates to “generate” two random sequences of
ones and zeroes, each fifty numbers long. I stepped out of the room and
they generated the first sequence by just writing ones and zeroes on the
board as they saw fit, attempting to generate a random sequence. For the
second sequence, they flipped a coin fifty times and wrote those numbers
on the board.

They then summoned me into the classroom. I took a look at the two
sequences and quickly discerned which was generated by coin toss and
which was generated by consensus.

It turns out that we have a tendency, in an attempt to be random, to
assume that there will not be very long strings of the same number. So
in the sequence generated by hand, the longest sequence of the same
character was only three or four long. But in the random sequence of 50
coin tosses, I expected at least one sequence of the same number to be
around 5 or 6 characters long.
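
The classroom trick, quantified. This is an added example and not part of the original post: the two 50-bit sequences below are constructed for illustration (they are not the ones written on the board), and the probability function counts exactly how many 50-bit strings have no run longer than k instead of simulating. A hand-written sequence whose longest run is only 3 is something a fair coin produces less than 2% of the time, which is why the short-run sequence gives itself away.

```python
"""Longest-run check: tell a hand-written "random" bit sequence from coin flips.

Added example (not from the original post).  The two sequences are constructed
for illustration; the probabilities are exact counts, not simulations.
"""


def longest_run(bits: str) -> int:
    """Length of the longest run of identical characters in bits."""
    best = cur = 0
    prev = None
    for b in bits:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def count_no_run_longer_than(n: int, k: int) -> int:
    """Number of binary strings of length n in which every run is at most k long.

    Such a string is a choice of first symbol (2 ways) followed by a composition
    of n into parts of size 1..k (the run lengths); the compositions are counted
    with a k-term recurrence.
    """
    comps = [0] * (n + 1)
    comps[0] = 1
    for i in range(1, n + 1):
        comps[i] = sum(comps[i - j] for j in range(1, min(k, i) + 1))
    return 2 * comps[n]


def prob_longest_run_at_most(n: int, k: int) -> float:
    """P(longest run <= k) for n independent fair coin flips."""
    if k <= 0:
        return 0.0
    return count_no_run_longer_than(n, k) / 2 ** n


def prob_longest_run_at_least(n: int, k: int) -> float:
    """P(longest run >= k) for n independent fair coin flips."""
    return 1.0 - prob_longest_run_at_most(n, k - 1)


def pick_human(sequences: list[str]) -> int:
    """Index of the sequence most likely to be human-made: the one whose longest
    run is the most improbably short for a fair coin."""
    scores = [prob_longest_run_at_most(len(s), longest_run(s)) for s in sequences]
    return scores.index(min(scores))


# Constructed sequences, 50 bits each.  HAND_WRITTEN mimics the classroom
# consensus sequence (longest run 3); COIN_TOSS mimics 50 real flips and
# contains a run of six zeros.
HAND_WRITTEN = "01110010100111001010011100101001110010100111001010"
COIN_TOSS = "11010000001011100100110101111000101101000110010110"

if __name__ == "__main__":
    for label, seq in (("hand", HAND_WRITTEN), ("coin", COIN_TOSS)):
        k = longest_run(seq)
        print(f"{label}: longest run {k}, "
              f"P(longest run <= {k}) = {prob_longest_run_at_most(50, k):.3f}")
    print("P(a run of 5 or more in 50 flips) =",
          round(prob_longest_run_at_least(50, 5), 3))
    print("looks human:", ["hand", "coin"][pick_human([HAND_WRITTEN, COIN_TOSS])])
```

The same count gives the other half of the story: a run of 5 or more in 50 fair flips is more likely than not, so a sequence that never gets past 3 is the odd one out, not the coin.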

Psychology of secrets
So back to the point. The problem in a system with a large number of
users is that psychology comes into play. You just know one or two
people are going to choose the phrase “Who let the dogs out?” If you
didn’t require a username and pass-phrase combo when authenticating, a
person could inadvertently access another user’s account. Worse, instead
of attempting to guess one user’s account at a time, a hacker could be
guessing at all users’ accounts at the same time: every guess is checked
against every account.
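
To make the "all users' accounts at the same time" point concrete, here is an added example, not code from the original post: a constructed user base of 1,000 accounts in which every hundredth user picks one of three popular phrases and everyone else gets a random token standing in for a generated pass-phrase. The names, phrases and the one-in-a-hundred mix are assumptions for illustration. Without a username, three guesses compromise every account that chose a popular phrase, and the store cannot even tell two such users apart; with a username, the same three guesses test a single account.

```python
"""Pass-phrase-only login versus username + pass-phrase login.

Added example, not from the original post.  The user base, phrases and the
"every hundredth user picks a popular phrase" mix are constructed assumptions.
"""
import secrets
from collections import defaultdict

# Constructed "somebody is bound to pick this" phrases.
POPULAR_PHRASES = [
    "Who let the dogs out?",
    "To be or not to be, that is the question.",
    "May the Force be with you, always.",
]


def build_users(n: int = 1000) -> dict[str, str]:
    """Map username -> pass-phrase for a constructed user base.

    Every 100th user picks a popular phrase (cycling through the list); everyone
    else gets a 32-byte random token, standing in for a cryptographically
    generated pass-phrase that nobody else will pick.
    """
    users = {}
    for i in range(n):
        if i % 100 == 0:
            users[f"user{i}"] = POPULAR_PHRASES[(i // 100) % len(POPULAR_PHRASES)]
        else:
            users[f"user{i}"] = secrets.token_urlsafe(32)
    return users


def index_by_phrase(users: dict[str, str]) -> dict[str, list[str]]:
    """What a pass-phrase-only system has to look up: phrase -> accounts."""
    index = defaultdict(list)
    for name, phrase in users.items():
        index[phrase].append(name)
    return index


def ambiguous_phrases(users: dict[str, str]) -> dict[str, list[str]]:
    """Phrases shared by more than one account.  With pass-phrase-only login the
    system cannot tell these users apart, so one of them lands in the other's
    account just by logging in."""
    return {p: names for p, names in index_by_phrase(users).items() if len(names) > 1}


def attack_without_username(users: dict[str, str], guesses: list[str]) -> set[str]:
    """Pass-phrase-only login: each guess is checked against every account at once."""
    index = index_by_phrase(users)
    compromised = set()
    for guess in guesses:
        compromised.update(index.get(guess, []))
    return compromised


def attack_with_username(users: dict[str, str], target: str, guesses: list[str]) -> set[str]:
    """Username + pass-phrase login: each guess tests exactly one account."""
    return {target} if users.get(target) in guesses else set()


if __name__ == "__main__":
    users = build_users()
    hits = attack_without_username(users, POPULAR_PHRASES)
    print(f"no username: {len(POPULAR_PHRASES)} guesses -> {len(hits)} accounts")
    for target in ("user0", "user1"):
        hit = attack_with_username(users, target, POPULAR_PHRASES)
        print(f"username {target}: {len(POPULAR_PHRASES)} guesses -> {len(hit)} accounts")
    for phrase, names in ambiguous_phrases(users).items():
        print(f"shared phrase {phrase!r}: {names}")
```

The username does not make the popular phrase any stronger; it confines each guess to one account, so the attacker's work scales with the number of accounts instead of being spread across all of them for free.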

Now there are some potential ideas that could make pass-phrase-only
authentication work, assuming the benefit is worth it. One is to require
that the pass-phrase contain a number and a punctuation mark. Another
option is to also require that the pass-phrase contain the username, so
that two users cannot end up with the same pass-phrase (the username is
public, so that part of the phrase adds nothing to the cost of guessing
it; it only keeps phrases distinct). So instead of the earlier
pass-phrase I mentioned, my pass-phrase might be “Who let the dogs out
Mr. Haacked?”